Much has been said and written about the challenges that enterprises face today in light of the increased level of threat activity and the level of sophistication of the threats themselves. With high-profile data breaches being disclosed with alarming regularity, what can an enterprise do to protect itself? Is technology unable to respond to these new threats?
Perhaps what we are seeing are the consequences of information technologies being deployed without sufficient regard to security rather than an inherent weakness in the technologies themselves. If that’s the case, then this should be considered as a clarion call to rethink how to secure the enterprise.
There is not just one way to apply security to a network, and different organizations will take different approaches depending upon need and budget. For some organizations, such as those in banking and retail, regulatory compliance such as PCI-DSS is a key driver. While PCI-DSS compliance is certainly a key consideration for these verticals, security should not stop at meeting what are relatively generic requirements. Other organizations will take it a step further by performing a risk assessment and assigning security spend according to probabilities. This approach goes further than just compliance, but the potential risks that an enterprise faces change on a near-daily basis, making the accuracy of an annual risk assessment questionable. Finally, there is the “point product” approach: deploying key products from different vendors, under the assumption that each product is considered to be the best in its category. Although the best-of-breed approach has been considered the most comprehensive, a very practical issue is the increase in complexity and cost of managing such a collection of sophisticated and complex products.
A second issue facing enterprises is the erosion of a clearly defined network perimeter. Changes in technology and in how business uses technology have resulted in a borderless attack surface, increasing the likelihood of a successful attack and subsequent data breach.